Comments on: CardBoosterShop Bot (CBSBot) for Magic Online (mtgo) has an account-stealing backdoor!

By: Nerdmaster

Nerdmaster — Fri, 13 Feb 2009 19:57:00 +0000

I'm betting somebody could do this pretty easily with a small amount of research.

However, that will no longer allow one to run the bot - it now stores all data remotely, so if you don't allow it to contact the CBS site, you effectively have no bot. I keep meaning to write a "mock" site so that a little hackery (/etc/hosts kind of thing, but for windows) could allow me to run a "safe" bot, but the work involved just isn't worth it....

And that's not even the full problem - it could be that the software still has password-stealing mechanisms where the author types in a special command and your bot spits out the password in a trade window. I don't know if this is the case, but it's not something I can rule out easily these days.

By: Marius

Marius — Thu, 05 Feb 2009 04:35:18 +0000

Ok im not an expert in any field of some sorts, but i was reading this and it got me thinking isnt it possible to run a program that blocks ALL internett connections except from the required to wizards, i bet they have spesific adresses like login.mtgo.wizards1.com for example and such? and just block everything apart from the ones your really need?

By: Richaal

Richaal — Tue, 09 Dec 2008 00:36:12 +0000

Hi, wow i started playing today since mtgo v2 and i see this whole mess with cbs. I remember the good old yatbot that used to be good. I was gonna use cbs but i think i wont know. Im gonna start developing a yatbot like bot that trades cards for cards and cards for tix ive done bots for mmorpgs and for mtgo v2 so im expecting a beta version 2 months from now well xmas is near so maybe earlier lets see if i can get most of the job done during these vacations. I warn you guys its gonna be a basic bot, dont expect anything better than trading cards for cards or tix untill 2-4months after the realease of the basic bot. Only issue is you might need a dual-core quad-core to run more than one bot.

By: Nerdmaster

Nerdmaster — Mon, 01 Dec 2008 07:05:37 +0000

Yeah, I had some other tips, but it appears the latest obfuscator is just insane, so none of my contacts has had much luck really checking out the latest bot.

I continue to be botless, but better that than having my computer compromised, I suppose.

By: Formerbotuser

Formerbotuser — Thu, 20 Nov 2008 17:50:54 +0000

Hi, After the problems posted on the gleemax forum about this bot i went looking into Reverse Engineering the bot cause i want to know what the maker was able to see (paypal pass maybe?!?!). But since i’m not exactly a computer genius it didnt work out for me although i found a program that should give you the opportunity to take a look into the code (coded with autoIt3 i believe). On this forum: http://defcon5.biz/phpBB3/viewtopic.php?f=5&t=234&st=0&sk=t&sd=a&start=50 you can read about how to get the code.. It doesnt seem to work for me atm, but ill try to contact the programmer of myAut2Exe if he could help me out here..

Ill keep you posted…

By: Nerdmaster

Nerdmaster — Wed, 29 Oct 2008 03:17:08 +0000

No idea.... I've found one that actually looks like the ripped-off version of CBS the author was talking about. So if anybody finds a legit bot out there, I'd LOVE to hear about it!

By: botwanted

botwanted — Sat, 25 Oct 2008 07:16:04 +0000

what's a safe bot to use?

By: Newbunkle

Newbunkle — Tue, 14 Oct 2008 15:38:21 +0000

As I posted over on the Magic forums, this is both terrifying and awesome. I haven't been so interested in a scandal like this since Limbo of the Lost. You're a genius for figuring this out, well done.

By: Nerdmaster

Nerdmaster — Sun, 12 Oct 2008 20:05:20 +0000

Andrew, rasguy, I actually considered that at first, but after some investigating, that string is exactly the same no matter what user or password you type into the bot. I can't figure out why the author did that, other than perhaps to claim that it's always been like that or something. Or maybe to confuse me into trying to decrypt it.

By: rasguy

rasguy — Sun, 12 Oct 2008 14:01:45 +0000

I don't think that is a dummy string. I believe it's the same information encrypted.